Norton Internet Security 2005 AntiSpyware Edition

Neil J. Rubenking

NIS+ clearly works better in a preventative capacity than as a cleanup tool for an already infested system. Our biggest concern is that it is unable to remove some of the threats it detects, but this is an early version. We can only hope user feedback from the public beta will result in a much improved final product.


Symantec's Norton Internet Security 2005 AntiSpyware Edition (NIS+) was released to public beta testing last week. Anyone can download it at https://www-secure.symantec.com/public_beta/ and use it during the beta test period, which ends June 1. According to Symantec, the addition of spyware protection is the only significant change from the previous NIS 2005. Because it's beta, we didn't run NIS+ through our full antispyware test, but we did put it through a fairly taxing wringer, pitting it against Webroot's Spy Sweeper 3.5, our current Editors' Choice for standalone antispyware.

To set up our test bed, we configured a pristine VMware 5 virtual machine; we weren't about to release malicious software on an actual, physical computer. Then we downloaded the install files for both NIS+ and Spy Sweeper, at which point we saved a snapshot of the system and went hunting for wild spyware. We visited three sites known for installing spyware and allowed Microsoft Internet Explorer to install their ActiveX controls. We also installed two popular peer-to-peer file-sharing programs plus all of the "extras" they bring along, and then uninstalled the file-sharing apps themselves. As the infested system chugged along, we observed numerous unrequested browser windows and pop-ups, some of which apparently dumped additional spyware on the system. Finally, we saved a snapshot of the system in its unpleasantly infested state.

Installing NIS+ on a system bogged down by spyware was a bit challenging. Still, we got it running and immediately began receiving warnings from the firewall and real-time scanning modules, even before the product's post-restart full configuration. For each real-time warning of a spyware risk, it recommended that we use the Scan Now option; our other choices were to exclude the item from scanning or ignore it for 30 minutes. We found that the Scan Now option launched a quick scan, checking only the most likely locations for spyware. To give the product maximum opportunity for success, we started over and ran a full system scan.

NIS+ detected 31 threats but was able to remove only 18 of them. It's common for a badly infested system to require multiple rounds of cleanup; we restarted and ran the full scan again. Twice the system experienced a blue-screen crash during the scan; the third time it ran to completion. This time it removed all but six of the remaining threats, but those remained present through repeated restart and rescan cycles.

Having given NIS+ a fair shot at cleaning up the system, we uninstalled it and loaded Spy Sweeper 3.5. Not counting mere tracking cookies, Spy Sweeper reported 20 threats left behind by NIS+, and it did so in 12 minutes; a full scan with NIS+ took almost 30 minutes. Analysis of the log files revealed that 10 of these were nonexecutable remnants: Registry entries and data files. While such items take up space, they're not actively harmful. But the other 10 were actual executable spyware programs or DLL files missed by NIS+. As it turned out, even Spy Sweeper was unable to remove two of these (iSearch and Istbar). According to Webroot, Spy Sweeper 4.0 (due to be reviewed later this month) will be able to remove both iSearch and Istbar, as well as other complex variants and traces.

At this point we restored the virtual machine back to the spyware-infested snapshot and repeated the process, this time running Spy Sweeper first and NIS+ second. The NIS+ installation went much more smoothly this time, since Spy Sweeper had swept out almost all of the spyware. NIS+ detected (but didn't remove) the same two items left behind by Spy Sweeper. It didn't catch anything else that Spy Sweeper had missed.

Our testing to this point simulates a user who purchases an antispyware tool to clean up a system that's already seriously infested. The clever user will have a spyware solution in place ahead of time, preventing the infestation rather than removing it. To check this facet of NIS+, we reverted to the pristine virtual machine snapshot, installed NIS+, and ran a full scan to verify that the system was clean. We then visited the same three sites and installed/uninstalled the same file-sharing software.

Upon encountering our first spyware sample, NIS+ immediately noticed the threat that it calls Adware.CDT, though it didn't block the installation. We chose the Scan Now option and asked it to remove the threat, which it failed to do. The real-time scanner detected the next spyware threat as soon as it launched, and the firewall blocked its attempt to connect with the outside world. This time, NIS+ reported that the Istbar threat was removed, although a follow-up scan showed it was still present. After a restart and full scan, NIS+ reported that the system was clean. Just to be sure, we installed and ran Spy Sweeper. Spy Sweeper found a copy of an Istbar-related DLL, but it was not active.

The ActiveX control loaded by our third test site killed and restarted the Explorer.exe process, which had the effect of eliminating the NIS+ icon from the system tray. But NIS+ was still running and detected the installation right away. Its QuickScan reported successful removal of Adware.Look2Me, but even as we viewed that report, a pop-up window appeared and displayed an advertisement, a clear sign that something was missed. We rebooted and ran a full scan. NIS+ reported no problems, but unwanted windows kept appearing. Once again, we followed up with Spy Sweeper, which found inactive traces of two threats along with executable elements of Look2Me. In the end, neither tool was successful; the unwanted pop-ups continued. We reverted back to a clean virtual machine; score one for spyware.

While we installed and uninstalled our P2P applications, NIS+ stopped quite a few unwanted connections and reported several threats. A full scan removed two threats (among them a Trojan horse) and left three to the user's discretion. We chose to remove all items, and NIS+ was mostly successful. A follow-up scan with Spy Sweeper, however, identified remnants of five threats, but only one of them included executable files.

NIS+ clearly works better in a preventative capacity than as a cleanup tool for an already infested system. Though its real-time checking doesn't block the initial installation of spyware, it recognizes threats as soon as they run, and its firewall module blocks malicious programs from Internet and network access. This real-time blocking of spyware activity strengthens the product's scanning and removal facility: It cleared up all but one threat, which also got past Spy Sweeper.

During our testing with an already infested system, Spy Sweeper found a number of active threats that NIS+ missed. Of course, there is no widespread agreement as to precisely what constitutes spyware. For example, both Spy Sweeper and NIS+ consider Gator a threat, while McAfee has just announced that it does not. Of greater concern is that in several cases, NIS+ detected threats but couldn't remove them. We'll revisit this product when it moves from beta testing to final release.

The antispyware market is still in its early stages, and although the tools are getting better, the bad guys are currently winning. We like the idea of spyware protection being an integral part of a security suite (most users can't and shouldn't know the difference between one type of malware and another), and given the generally high quality of Symantec's other consumer security tools, we have high hopes for NIS+'s ability to fight spyware. We weren't especially impressed with its performance in this early version, based on our preliminary tests, but we hope user feedback from the public beta will result in a much improved final product.


About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted b...
